Use the ARM Template to Deploy the VM-Series Firewall

Where Can I Use This?	What Do I Need?
Microsoft Azure Microsoft Azure Stack Azure® Marketplace Azure China Marketplace Azure Government Marketplace	VM-Series License (PAYG or BYOL) VM-Series plugin Panorama Panorama plugin for Azure

In addition to Marketplace based deployments, Palo Alto Networks provides a GitHub repository, which hosts sample ARM templates that you can download and customize for your needs. ARM templates are JSON files that describe the resources required for individual resources such as network interfaces, a complete virtual machine or even an entire application stack with multiple virtual machines.

ARM templates are for advanced users, and Palo Alto Networks provides the ARM template under the community-supported policy. To learn about ARM templates, refer to the Microsoft documentation on ARM Templates.

To simplify the deployment of all the required resources, the two-tier sample template (https://github.com/PaloAltoNetworks/azure/tree/master/two-tier-sample) includes two JSON files:

• Template File—The azureDeploy.json is the main resources file that deploys all the components within the resource group.
• Parameters File—The azureDeploy.parameters.json is the file that includes the parameters required to successfully deploy the VM-Series firewall in the VNet. It includes details such as the virtual machine tier and size, username, and password for the firewall, the name of the storage container for the firewall. You can customize this file for your Azure VNet deployment.

To help you deploy the firewall as a gateway for Internet-facing applications, the template provisions the VM-Series firewall, a database server, and a web server. The VNet uses the private nonroutable IP address space 192.168.0.0/16. You can modify the template to use 172.16.0.0/12, or 10.0.0.0/8.

The ARM template also provides the necessary user-defined rules and IP forwarding flags to enable the VM-Series firewall to secure the Azure resource group. For the five subnets—Trust, Untrust, Web, DB, and NAT—included in the template, you have five route tables, one for each subnet with user-defined rules for routing traffic to the VM-Series firewall and the NAT virtual machine.

For the four subnets—Trust, Untrust, Web, and DB—included in the template, you have four route tables, one for each subnet with user-defined rules for routing traffic to the VM-Series firewall.

1. Download the two-tier sample ARM template from the GitHub repository.

   Download and save the files to a local client: https://github.com/PaloAltoNetworks/azure/tree/master/two-tier-sample
2. Create a Resource Group on Azure.

   1. Log in to the Azure CLI using the command: az login

      If you need help, refer to the Azure documentation on installing the CLI, or for details on how to access the CLI on Azure Government or Azure China.
   2. Create a resource group.
3. Deploy the ARM template.

   1. Open the Parameters File with a text editor and modify the values for your deployment:

      In Azure China, you must edit the path for the storage account that hosts the VHD image required to deploy the VM-Series firewall. In the variables section of the template file, find the parameter called userImageNameURI and replace the value with the location where you saved the VHD image.
   2. Deploy the template in the resource group you created.

      az deployment group create --name <YourResourceGroupName>
      
      
      
      --resource-group <YourResourceGroupName>
      
      
      
      --parameters ’@<path-to-template-parameter-azureDeploy.json>’

   3. Check the progress and status of the deployment from the Azure CLI:

      azure deployment group show <YourResourceGroupName>
      
      
      

      When the template is deployed the ProvisioningStateis Running.

      If the ProvisioningStateis Failed, you must check for errors on the Azure portal at Resource GroupEvents. Filter for only events in the last one hour, select the most recent events, and drill down to find the errors.
   4. Verify that you have successfully deployed the VM-Series firewall.

      1. Select DashboardResource Groups, and select the resource group.
      2. Select All SettingsDeploymentsDeployment History for detailed status.
         The address space within the VNet uses the prefix 192.168, which is defined in the ARM template.
   5. Attach a public IP address to the untrust interface on the firewall.
4. Configure the firewall as a VNet gateway to protect your Internet-facing deployment.

   1. Log in to the management interface IP address on the firewall.
   2. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall (NetworkInterfacesEthernet).
   3. Add static rules to the virtual router on the firewall. To route traffic through the firewall in this example, you need three static routes on the firewall (NetworkVirtual Routers, select the router and click Static Routes):

      1. Route all outbound traffic through the UnTrust zone, ethernet1/1 to the Azure router at 192.168.1.1.
      2. Route all inbound traffic destined to the web server subnet through the Trust zone, ethernet1/2 to the Azure router at 192.168.2.1.
      3. Route all inbound traffic destined to the database server subnet through the Trust zone, ethernet1/2 to the Azure router at 192.168.2.1.
   4. Create security policy rules (PoliciesSecurity) to allow inbound and outbound traffic on the firewall. You also need security policy rules to allow appropriate traffic from the web server subnet to the database server subnet and vice versa.
   5. Commit the changes on the firewall.
   6. Verify that the VM-Series firewall is securing traffic (MonitorLogsTraffic).